Did Google do the right thing?
There's a bit of debate brewing over whether or not Google did the right thing by posting a Windows 8.1 security vulnerability to the public before Microsoft was able to release a patch. The disclosure came from Google's Project Zero program, which hunts down vulnerabilities in software and alerts its findings to vendors "in as close to real-time as possible." Vendors are then given a 90-day deadline to issue a patch, and in this case, Microsoft didn't react in time.
Here's what happened. A Google researcher discovered a vulnerability in Windows 8.1 that could give low-level users administrator rights. The Project Zero team communicated its findings with Microsoft, and when the 90-day deadline came and went without a patch a few days ago, they went ahead and posted the exploit details online.
"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," reads a comment in reply to the disclosure. "My reading of the disclosure is that it's your average local privilege escalation vulnerability. That's bad and unfortunate, but it's also a fairly typical class of vulnerability, and not in the same class as those that keep people like me up at night patching servers. The sad reality is that these sort of vulnerabilities are a dime a dozen on Windows, and the situation on Linux is pretty comparable. But disclosing it with zero context strikes me as the wrong approach."
"Agree with comment #5. This OS is run by billions. Exposing vulnerabilities like this has far reaching consequences. People could get hurt by this and it doesn't bring anyone closer to a solution. I find it difficult to believe that MSFT and GOOG don't have red-telephone access to each other if needed," another reader commented.
Not everyone shared the same opinion.
"Attackers are not going to take the day off because it's the Holidays. Microsoft dropped the ball, did not perform a security assessment of the new features before releasing them into production, and now have to deal with the consequences," a reader pointed out.
There was a bit of confusion as to whether Google even contacted Microsoft about the security flaw, which it in fact did back in September. Google points out that its initial report included the 90-day disclosure deadline, a policy that's been in place since the team was formed last year.
However, not everyone agrees with the lack of flexibility in Project Zero's policy, especially when the deadline falls during a holiday break and affects millions of PCs.
"We are working to release a security update to address an Elevation of Privilege issue," Microsoft said in a statement, according to Engadget. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
What's your opinion on this? Should Google have waited a bit longer, or does this fall squarely on Microsoft's shoulders for failing to respond within 90 days?
Follow Paul on Google+, Twitter, and Facebook
Get more out of Google Drive
FTC settles charges with Snapchat
